ProPublica’s Julia Angwin broke the news recently that Google has quietly begun to merge personally identifiable information (PII) with the ad-serving data collected via DoubleClick. This announcement was a long time coming. The writing was on the wall when Google announced in 2012 that it was consolidating its data collection and use policies across all of its business units into a single privacy policy.

I’ve been asked to comment on this development in a number of forums. The first question I’m usually asked is whether Google’s move is good for privacy and if Google is violating the NAI Code of Conduct. I think the answer is no regarding the NAI Code, although I’ll admit that Google’s explanation of things to ProPublica was a bit cryptic.

From what I can gather, Google is taking the position that it has a user’s consent for its merger of user PII with non-PII. And while I think there’s an interesting discussion to be had regarding what it means to manifest consent in the age of one-click terms of service, I’ll leave the determination of whether or not this move is a good thing for privacy to others.

What About Us?

The next question I’m often asked is whether it is possible for an ad tech company without direct consumer relationships to merge PII with ad-serving data. That’s an even more interesting question. The NAI Code doesn’t entirely prohibit the merger of PII with ad-serving data. Rather, the NAI imposes certain obligations upon member companies seeking to merge the two data sets.

Many in the ad tech marketplace have long assumed that the NAI Code either prohibits PII merger or requires affirmative consent for such PII merger. Neither are entirely true. For one thing, the NAI’s merger rules apply mostly to interest-based advertising ,which has become a much smaller part of the overall ad targeting tool kit than it used to be.

Moreover, the NAI Code does allow for the prospective merger of ad-serving data with PII. Here, companies may provide “robust notice” and opt-out choice under the NAI Code. That begs the question: What exactly is robust notice? The concept hasn’t been fleshed out by the NAI and has received relatively little attention elsewhere.

Is the AdChoices icon an example of robust notice? Maybe. The enhanced notice icon was designed to communicate important privacy concepts to consumers outside of traditional privacy notices, and PII merger seems like as important a concept as any. I’m not attempting to provide legal advice here. Rather, I’d encourage anyone reading this who wants to better understand the rules to have a long discussion with their privacy counsel.

There are two issues that are often raised in the context of PII merger which are worth highlighting.

Is There Still A Privacy Benefit To Remaining In The Pseudonymous World?

The first question is whether or not there’s an advantage to limiting one’s collection of data to pseudonymous data. In other words, should ad tech companies continue to use cookie IDs and mobile ad IDs that are linked to a device rather than an email address, which can be used to identify an actual person? Ad tech companies have long begun any discussion around privacy with the reminder that they don’t collect PII. One reason they take this position is that they believe companies collecting only pseudonymous data are or should be subject to a lower privacy standard as they generally have lower risk threshold.

However, I’m not sure that position makes sense anymore. The Federal Trade Commission, Federal Communications Commission and California attorney general have clearly communicated to the marketplace that as far as they’re concerned, everything collected by tech companies is personal data. So it follows that an email address, a hashed email address and an IP address are essentially the same. If all these data points are effectively treated the same way by regulators, then what is the privacy advantage for ad tech companies treating them differently?

If this isn’t the outcome the FTC is seeking based upon recent public statements, now would be a good time for additional clarification.

Is There A Business Benefit To Owning The Identity Graph?

One of the key areas of growth in digital advertising in 2017 will involve leveraging the link between the pseudonymous and the PII worlds. The question in my mind is, which companies will be in position to create such a link?

Google and Facebook have already built the first version of their respective identity graphs. And there are a whole host of other companies that are beginning to build their own graphs. Some of those firms have a database marketing background, including Acxiom’s Live Ramp and Experian. I suspect pretty soon we’ll see some of the larger mar tech companies move further into this space. All of those companies have one thing in common: They recognize that the path to building a stable and reliable link between the known (PII) and unknown (pseudonymous) worlds will necessitate the use of PII. And the prospect of leveraging PII in this way will push many in ad tech well beyond their comfort zone.

I’m fairly sure that we’ll begin to see more ad tech companies bring some of their PII data onboarding activities in-house. But that really only represents a portion of the identity graph. I’ll be interested to see how many in ad tech will go all in toward including PII in their platforms to build their own identity graphs. Given current growth trends, I suspect that at least a few ad tech CEOs will look back 18 months from now wishing they had.